

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../">
<head>
  <meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>FAQ &mdash; IVRE  documentation</title>
      <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=80d5e7a1" />
      <link rel="stylesheet" type="text/css" href="../_static/css/theme.css?v=e59714d7" />
      <link rel="stylesheet" type="text/css" href="../_static/graphviz.css?v=4ae1632d" />

  
      <script src="../_static/jquery.js?v=5d32c60e"></script>
      <script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
      <script src="../_static/documentation_options.js?v=5929fcd5"></script>
      <script src="../_static/doctools.js?v=9bcbadda"></script>
      <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="../_static/js/theme.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Installation" href="../install/index.html" />
    <link rel="prev" title="Screenshots gallery" href="screenshots.html" /> 
</head>

<body class="wy-body-for-nav"> 
  <div class="wy-grid-for-nav">

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
             
  <section id="faq">
<h1>FAQ<a class="headerlink" href="#faq" title="Link to this heading"></a></h1>
<p>If you cannot find the answer to your question, either here or in this
documentation, feel free to <a class="reference external" href="https://github.com/ivre/ivre/issues/new">open an issue</a> and use the label
“question”.</p>
<section id="web-interface">
<h2>Web interface<a class="headerlink" href="#web-interface" title="Link to this heading"></a></h2>
<section id="notebook-shows-forbidden">
<h3>Notebook shows “Forbidden”<a class="headerlink" href="#notebook-shows-forbidden" title="Link to this heading"></a></h3>
<p><strong>I cannot access the notepad (the Dokuwiki content), and get a
“Forbidden” message.</strong></p>
<p>You need to configure your web server to allow access from other hosts
on the network to the Dokuwiki content. It is often restricted, by
default, to local users only. If you are using Apache, you can look
for an ACL like <code class="docutils literal notranslate"><span class="pre">Allow</span> <span class="pre">from</span> <span class="pre">localhost</span> <span class="pre">127.0.0.1</span> <span class="pre">::1</span></code> and adapt it to
your network.</p>
</section>
<section id="the-web-interface-shows-no-result">
<h3>The Web interface shows no result<a class="headerlink" href="#the-web-interface-shows-no-result" title="Link to this heading"></a></h3>
<p><strong>I have inserted scan results, yet when I open the Web interface, it
remains empty.</strong></p>
<p>Two problems can explain this situation:</p>
<ul class="simple">
<li><p>The results are stored in the scan collection, but no view has been
created (the Web interface displays results from the view).</p></li>
<li><p>The Web interface does not access the database for some reason.</p></li>
</ul>
<p>First, from the command line, check that a view has been created by
running <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">view</span> <span class="pre">--count</span></code>. If it displays <code class="docutils literal notranslate"><span class="pre">0</span></code>, it means that
while you have inserted results in the <code class="docutils literal notranslate"><span class="pre">scan</span></code> database, you have not
updated the <code class="docutils literal notranslate"><span class="pre">view</span></code> (see <a class="reference internal" href="principles.html#purposes"><span class="std std-ref">Purposes</span></a>). You
can create a view by using the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">db2view</span></code> CLI tool.</p>
<p>If <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">view</span> <span class="pre">--count</span></code> does not display <code class="docutils literal notranslate"><span class="pre">0</span></code> but a (positive!)
number, it means that, for some reason, the CGI cannot access the
database. It could be because you are using a user-specific
configuration (in <code class="docutils literal notranslate"><span class="pre">~/.ivre.conf</span></code>) and the CGI application runs with
a different user. To investigate the problem, you have to check the
Web server error logs.</p>
</section>
<section id="how-can-i-restrict-access-to-ivre-s-web-interface">
<h3>How can I restrict access to IVRE’s Web interface<a class="headerlink" href="#how-can-i-restrict-access-to-ivre-s-web-interface" title="Link to this heading"></a></h3>
<p><strong>I want to prevent unauthorized access to IVRE’s results.</strong></p>
<p>First, you have to configure your web server to authenticate remote
users. The most important thing, of course, is to protect access to the CGI
files (the static files are publicly available and do not contain any result).</p>
<p>In an AD or Kerberos environment for example, Apache can be configured
to provide SSO authentication.</p>
<p>Then, if you want to restrict access to the results based on the user
login or domain, you can add the following lines to <code class="docutils literal notranslate"><span class="pre">/etc/ivre.conf</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">WEB_DEFAULT_INIT_QUERY</span> <span class="o">=</span> <span class="s1">&#39;noaccess&#39;</span>
<span class="n">WEB_INIT_QUERIES</span> <span class="o">=</span> <span class="p">{</span>
    <span class="s1">&#39;admin@SUBNETWORK.NETWORK.AD&#39;</span><span class="p">:</span> <span class="s1">&#39;category:SubNetwork&#39;</span><span class="p">,</span>
    <span class="s1">&#39;@ADMIN.NETWORK.AD&#39;</span><span class="p">:</span> <span class="s1">&#39;full&#39;</span><span class="p">,</span>
<span class="p">}</span>
</pre></div>
</div>
<p>By default, users won’t have access to any result. The user
<code class="docutils literal notranslate"><span class="pre">admin&#64;SUBNETWORK.NETWORK.AD</span></code> will have access to the results in the
category <code class="docutils literal notranslate"><span class="pre">SubNetwork</span></code>. The users in the <code class="docutils literal notranslate"><span class="pre">ADMIN.NETWORK.AD</span></code> realm
will have access to all the results.</p>
</section>
</section>
<section id="scanning-the-internet-is-slow">
<h2>Scanning the Internet is slow!<a class="headerlink" href="#scanning-the-internet-is-slow" title="Link to this heading"></a></h2>
<p>This is based on <a class="reference external" href="https://github.com/ivre/ivre/issues/822">issue GH#822</a>.</p>
<p>When running <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">runscans</span> <span class="pre">--routable</span> <span class="pre">--limit</span> <span class="pre">40</span></code>, one can notice
the scan really takes a long time to terminate.</p>
<p>First of all, IVRE is not guilty here. IVRE runs Nmap, feeds it with
targets, and waits for its output. You would get the same results using
the same Nmap options as IVRE.</p>
<p>That being said, we have several ways to speed up a scan.</p>
<section id="use-masscan-rather-that-nmap">
<h3>Use Masscan rather than Nmap<a class="headerlink" href="#use-masscan-rather-that-nmap" title="Link to this heading"></a></h3>
<p>This is pretty radical, and has an important drawback: Masscan
results gather less intelligence than Nmap results (a lot less in some
situations).</p>
<p>However, it is often the only option to get comprehensive scans of the
IPv4 routable address space.</p>
<p>A trade-off could be, for some protocols, to use Zmap /
Zgrab2. Compare the possibilities of Masscan (<code class="docutils literal notranslate"><span class="pre">--banner</span></code>) versus
Zgrab2 for the protocol(s) you want to scan.</p>
<p>IVRE will happily combine results from Nmap, Masscan and Zgrab /
Zgrab2: you can build your own, perfectly suited, scanning solution
and use IVRE to merge and browse the results.</p>
</section>
<section id="parallelize-nmap-scans">
<h3>Parallelize Nmap scans<a class="headerlink" href="#parallelize-nmap-scans" title="Link to this heading"></a></h3>
<p>Another option is to run several Nmap processes instead of
one. Theoretically, it should not help, since Nmap is supposed to
manage resources efficiently, but it has proven useful in several
situations, particularly when scanning heavily filtered hosts or
random hosts across the Internet.</p>
<p>For that, one can either use an agent (see
<a class="reference internal" href="../install/agents.html#agents"><span class="std std-ref">Agents</span></a>) or <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">runscans</span> <span class="pre">--output</span>
<span class="pre">XMLFork</span> <span class="pre">--processes</span> <span class="pre">&lt;n&gt;</span></code> where <code class="docutils literal notranslate"><span class="pre">&lt;n&gt;</span></code> is the number of simultaneous
Nmap processes to use.</p>
</section>
</section>
<section id="can-ivre-be-used-to-look-for-xxx">
<h2>Can IVRE be used to look for XXX?<a class="headerlink" href="#can-ivre-be-used-to-look-for-xxx" title="Link to this heading"></a></h2>
<p>IVRE is not a scanner or a network traffic analyzer. It relies on
tools like Nmap, Masscan, ZGrab2, and Zeek, parses their results and
stores them in a database.</p>
<p>So when you are asking, for example, “can IVRE scan a network for
hosts with the <a class="reference external" href="https://en.wikipedia.org/wiki/Heartbleed">Heartbleed</a> vulnerability?”, in
reality you are asking two different questions:</p>
<ul class="simple">
<li><p>“Can Nmap or Masscan or Zgrab2 detect when a scanned host is
vulnerable to Heartbleed?”</p></li>
<li><p>“How can IVRE list the hosts that have been found vulnerable to
Heartbleed by Nmap or Masscan?”</p></li>
</ul>
<p>The first question is not related to IVRE (and should probably be
put to the Nmap, Masscan or Zgrab2 developers), but the second question
is (and may be asked as a <a class="reference external" href="https://github.com/ivre/ivre/issues/new?labels=question">“question” labeled issue</a>).</p>
<p>For that particular Heartbleed example, Nmap, Masscan and Zgrab2 can
(reliably) report hosts with the Heartbleed vulnerability, and IVRE
can be used to find such hosts.</p>
</section>
<section id="how-can-i-configure-iptables-to-get-logs-used-by-flow2db-tool">
<h2>How can I configure iptables to get logs used by flow2db tool<a class="headerlink" href="#how-can-i-configure-iptables-to-get-logs-used-by-flow2db-tool" title="Link to this heading"></a></h2>
<p>When you don’t have access to low-level network data, an easy way to
discover part of the network traffic is to use netfilter logs collected
via syslog.</p>
<p>For this to be effective, all the systems must have iptables enabled and
configured to send logs.</p>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">A</span> <span class="n">INPUT</span>   <span class="o">-</span><span class="n">j</span> <span class="n">LOG</span> <span class="o">--</span><span class="n">log</span><span class="o">-</span><span class="n">prefix</span> <span class="s2">&quot;IPTABLES/INPUT: &quot;</span>
<span class="o">-</span><span class="n">A</span> <span class="n">OUTPUT</span>  <span class="o">-</span><span class="n">j</span> <span class="n">LOG</span> <span class="o">--</span><span class="n">log</span><span class="o">-</span><span class="n">prefix</span> <span class="s2">&quot;IPTABLES/OUTPUT: &quot;</span>
<span class="o">-</span><span class="n">A</span> <span class="n">FORWARD</span> <span class="o">-</span><span class="n">j</span> <span class="n">LOG</span> <span class="o">--</span><span class="n">log</span><span class="o">-</span><span class="n">prefix</span> <span class="s2">&quot;IPTABLES/FORWARD: &quot;</span>
</pre></div>
</div>
<p>To log all traffic, place these rules before all other rules. Be
careful with the OUTPUT rule if the logs are sent over the network: each
log message sent is itself an outgoing packet that gets logged, which
creates a feedback loop.</p>
<p>On the syslog server or on each host, just run grep to collect the
data needed for the iptables flow2db parser:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>$<span class="w"> </span>grep<span class="w"> </span>-h<span class="w"> </span><span class="s1">&#39;IPTABLES/&#39;</span><span class="w"> </span>/var/log/syslog<span class="w"> </span>/var/log/kernel.log<span class="w"> </span>...<span class="w"> </span><span class="se">\</span>
<span class="w">    </span>&gt;<span class="w"> </span>syslog-iptables.log
</pre></div>
</div>
<p>Then import the data into ivredb using the flow2db tool:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>$<span class="w"> </span>ivre<span class="w"> </span>flow2db<span class="w"> </span>-t<span class="w"> </span>iptables<span class="w"> </span>syslog-iptables.log
</pre></div>
</div>
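<p>A sanity check for the collected file before importing it, as an added example (not IVRE's own parser or code): it parses netfilter LOG lines, counts entries per chain, and flags OUTPUT entries that are the host's own log shipping, the case the OUTPUT warning above is about. The sample lines are constructed, and port 514 as the log-shipping port is an assumption.</p>

```python
import re
from collections import Counter

# Constructed sample (not real traffic): lines as written by the LOG rules
# above, plus one unrelated syslog line that the grep step would drop.
SAMPLE = """\
Mar  3 10:15:01 web1 kernel: [1024.100] IPTABLES/INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=40122 DPT=443 WINDOW=29200 SYN URGP=0
Mar  3 10:15:01 web1 kernel: [1024.101] IPTABLES/OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40122 WINDOW=28960 ACK SYN URGP=0
Mar  3 10:15:02 web1 kernel: [1024.350] IPTABLES/OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.50 LEN=210 TTL=64 ID=913 DF PROTO=UDP SPT=39011 DPT=514 LEN=190
Mar  3 10:15:02 web1 sshd[811]: Accepted publickey for ops from 198.51.100.7 port 40200
Mar  3 10:15:03 web1 kernel: [1025.020] IPTABLES/FORWARD: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.77 LEN=84 TTL=63 ID=2201 PROTO=ICMP TYPE=8 CODE=0 ID=17 SEQ=1
"""
PREFIX = re.compile(r"IPTABLES/(INPUT|OUTPUT|FORWARD): (.*)")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the flow fields of one netfilter LOG line, or None."""
    match = PREFIX.search(line)
    if match is None:
        return None  # not written by the LOG rules
    fields = {}
    for key, value in FIELD.findall(match.group(2)):
        # LEN and ID can appear twice (IP, then UDP/ICMP): keep the first.
        fields.setdefault(key, value)
    if not all(fields.get(k) for k in ("SRC", "DST", "PROTO")):
        return None  # truncated line, nothing usable as a flow
    dport = fields.get("DPT", "")
    return {
        "chain": match.group(1),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dport": int(dport) if dport.isdigit() else None,
    }


def summarize(text, syslog_port=514):
    """Count entries per chain and list OUTPUT entries that are log shipping."""
    per_chain, skipped, log_shipping = Counter(), 0, []
    for line in text.splitlines():
        flow = parse_line(line)
        if flow is None:
            skipped += 1
            continue
        per_chain[flow["chain"]] += 1
        # Assumption: logs leave the host towards syslog_port. Each such
        # packet is itself logged by the OUTPUT rule, hence the feedback loop.
        if flow["chain"] == "OUTPUT" and flow["dport"] == syslog_port:
            log_shipping.append((flow["dst"], flow["proto"]))
    return per_chain, skipped, log_shipping


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

<p>A large share of OUTPUT entries pointing at the log collector means the OUTPUT rule is mostly recording its own syslog traffic.</p>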
</section>
</section>


           </div>
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2011 - 2025, Pierre LALET.</p>
  </div>

   

</footer>
        </div>
      </div>
    </section>
  </div>
  <script>
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script> 

</body>
</html>